#1

Hi,
I have an ESET security alert popping up every second or so with this message: "Address blocked worknssrv.cn/dd/mod_ddos". I am concerned, but an ESET full PC scan revealed my computer is clean. Could someone help, please?

#2

Something is trying to dial home; as to what, it is a mystery. I think the best thing is to download ESET SysInspector, produce a log and email it to support("at")eset.com with this thread's URL in the subject.

#3

Thank you. Good job that ESET stopped it!
Just yesterday I was searching for "worknssrv.cn/dd/mod_ddos", but today Google shows more forums where people ask about this. By the way, I have noticed it's the schvost.exe process, which I understand is a system process. Oh, and today I have had periods with alerts, but now it seems to be quiet. I have never seen anything like this.

#4

I am also getting this message that continually flashes up. I have done a full system scan with ESET SysInspector and it came up with nothing, and also a full in-depth scan as suggested by ESET Support, and again nothing.
Does anyone have any suggestions on what to try next, as this is becoming a real pain?

#5

It seems like the computer is infected and the infected file is:
c:\windows\system32\admparset.exe
ESET support advised me to zip this file and send it to them, but the moment I created the zip file ESET deleted the infected file. Maybe try doing the same thing, but I would definitely contact ESET support.

#6

Thanks for your reply; unfortunately I don't seem to have that file when I did a search for it, so the search for a fix continues.

#7

It is a hidden file, so you need to make sure that when viewing that location you can see hidden files (I personally don't use Explorer to browse the PC).
I'm sure you can Google how to enable viewing hidden files.

#8

I have just finished an online session of remote assistance with ESET technical support, and if you get this kind of message popping up, you are infected by a trojan.
When this happened to me, there was no signature for this in the ESET database, but three days later ESET actually detected this trojan and quarantined the infected file. In conclusion, this matter should be resolved if you have the latest signature database from ESET; otherwise you should contact support and ask for help. My PC is clean now.

#9

Can you please explain in more detail what happened? First you say it wasn't detected, then it was? It's quite confusing. If it was detected it should have been cleaned; if not, then send the file to samples("at")eset.com in a zip file with the password "infected". You can also disable NOD32 and restore files from quarantine if it was a random heuristic detection.

#10

The PC was infected all along, but ESET did not have this file and behaviour in its database of threats, so it did not detect it.
Three days later, a signature was added to the ESET database and only then was the infected file detected and quarantined.

#11

What was the name of the infection in your quarantine? Also, are you fine now?

#12

admparset.exe was infected with the Win32/IRCBot trojan.
Yep, clean now.

#13

Is yours detected now? If it's not, try locating the file and submitting it to ESET as directed in my previous post.

#14

I have not detected the file yet; every search I have done comes up blank, and so does the ESET scan.

#15

Maybe you could try locating that file manually at the location specified in the post above; don't forget to enable the hidden files view.
By the way, if your scan revealed no infection, are you still getting the popup messages?

#16

I have done all that, but the file mentioned above is not there. Yes, I am still getting the popups; it lasts for about 1 hour and then stops.

#17

Seems like you might have a different version of the trojan. Definitely contact ESET for support.
#19
I'm curious: it was good that ESS blocked the address, but how did it do it?

#20

I would think it would be in your startup processes? Anyway, download ESET SysInspector, create a log, and send it to support("at")eset.com with this thread's URL as the subject.
Not sure I understand the question; it's probably a known abused IP. Well, it seems different trojans all use the same one.

#21

OK, so I guess there's a blocklist built into ESS.

#22

Yes, there is.

#23

I have tried that as well, but SysInspector is not finding anything. It's looking like a reformat of my hard drive.

#24

Finally got them. After browsing for more info on malware I found out about Malwarebytes Anti-Malware. I installed and ran the program and it came up with the log below. So far the problem has not reappeared.

Malwarebytes' Anti-Malware 1.31
Database version: 1492
Windows 5.1.2600 Service Pack 3

12/12/2008 11:11:54
mbam-log-2008-12-12 (11-11-54).txt

Scan type: Quick Scan
Objects scanned: 44323
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cs.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rc.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmds.txt (Malware.Trace) -> Quarantined and deleted successfully.
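As an added defender-side check (example code, not from this thread, ESET or Malwarebytes), the PowerShell script below audits a Windows host for the traits the log above quarantined: a Debugger value under an Image File Execution Options subkey such as explorer.exe, an svchost.exe running from outside System32, the hidden trace files in System32, and the leftover MRSoft key. It assumes an elevated PowerShell session; the paths and names are taken from the log.

```powershell
# Added example, not from the thread: audit a host for the persistence traits
# seen in the Malwarebytes log above. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Image File Execution Options: a "Debugger" value under a subkey named after
#    a program (here explorer.exe) makes Windows start that debugger whenever the
#    program launches, a well-known hijack spot. Report any subkey that has one.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Check = 'IFEO Debugger'; Item = $sub.PSChildName; Detail = $dbg }
    }
}

# 2. svchost.exe legitimately lives only in System32 (and SysWOW64 on 64-bit).
#    A copy running from anywhere else, such as "C:\Program Files\Microsoft Common",
#    is what the log quarantined. Comparison is case-insensitive in PowerShell.
$legitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    if ($p.Path -and ($legitDirs -notcontains (Split-Path -Path $p.Path -Parent))) {
        $findings += [pscustomobject]@{ Check = 'svchost outside System32'; Item = "PID $($p.Id)"; Detail = $p.Path }
    }
}

# 3. The dropped traces were hidden files in System32. Test-Path sees hidden
#    files, so Explorer's "show hidden files" setting does not matter here.
foreach ($name in 'cs.dat', 'rc.dat', 'ps1.dat', 'cmds.txt') {
    $path = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $name
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Check = 'Trace file'; Item = $name; Detail = $path }
    }
}

# 4. The vendor-style key the log also removed.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\MRSoft') {
    $findings += [pscustomobject]@{ Check = 'Registry key'; Item = 'HKLM\SOFTWARE\MRSoft'; Detail = 'present' }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

A hit on any check is a reason to preserve the file or key for analysis before removing it, as post #25 asks.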

#25

That's good! Now that you're clean, disable MB, restore the files to a location where you're not going to execute them, preferably all in one folder. Zip up that folder with all the files with the password "infected" and send it to samples("at")eset.com with this thread's URL in the subject. Hopefully in a few days ESET will pick up the folder and delete the entire thing.